Importer for 1Password 1pux files to passwordstore

Clone this repository

https://tangled.org/hello.j23n.com/pass-import-1pux
git@tangled.org:hello.j23n.com/pass-import-1pux


README.md

pass-import-1pux

Import 1Password 1pux exports to passwordstore with full history, attachments, and metadata preservation.

Getting Started

  1. Install uv from https://docs.astral.sh/uv/getting-started/installation/.
  2. Export your 1Password data: File → Export → 1PUX format (⚠️ unencrypted - handle securely).
  3. Ensure gpg is configured with a key pair (gpg --gen-key if needed).
  4. Run uv run pass-import-1pux --input export.1pux --store ~/.password-store --gpg-id your@email.com to import.
  5. Access passwords with pass or pass -c path/to/entry (copies to clipboard).
  6. Shred the .1pux file when finished: shred -u export.1pux.

Architecture

  • Frameworks: Python 3.8+ managed with uv. Entry point in src/pass_1pux_import/cli.py wires the import pipeline; core logic lives in parser.py, transformer.py, importer.py, and verifier.py.
  • Parser: OnePasswordParser (in parser.py) unpacks .1pux archives, extracts account/vault/item JSON, and resolves attachment file handles to their encrypted blobs.
  • Transformer: PassStoreTransformer (in transformer.py) maps 1Password items (Login/Password/SecureNote/Document/CreditCard) to passwordstore text format. Sanitizes vault/category names into filesystem paths (vault/category/title-username.gpg), handles collisions with UUID suffixes, and formats URLs/usernames/TOTP/tags/notes/attachments into structured entries.
  • Importer: PassStoreImporter (in importer.py) initializes the passwordstore git repo, commits transformed entries with pass insert, and replays password history by committing older versions first with backdated timestamps (GIT_AUTHOR_DATE/GIT_COMMITTER_DATE).
  • Verifier: PassStoreVerifier (in verifier.py) performs lossless-transfer checks after import: item count, UUID presence, attachment existence, password history depth, and critical field preservation (URLs/tags/notes).
  • Password history: Instead of inline text, the importer replays password changes as git commits with original timestamps. Retrieve old passwords via git log -p entry.gpg | gpg -d or git show HEAD~2:entry.gpg | gpg -d.
  • Attachments: Extracted from 1pux bundle and stored encrypted in <entry>.attachments/<filename>.gpg alongside their parent entry. Verifier confirms all attachment metadata points to real files.
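
An added sketch (not the project's transformer.py) of the path mapping described for the Transformer: untrusted vault, category, title and username strings become vault/category/title-username, with a UUID suffix on collision. The function names, the allow-list and the 100-character limit are assumptions; the repository's real rules may differ.

```python
import re
import unicodedata
from pathlib import PurePosixPath

# Assumed allow-list: word characters plus a few symbols common in usernames.
_UNSAFE = re.compile(r"[^\w.@+-]+")


def sanitize_component(text, fallback="untitled"):
    """Turn an untrusted 1Password string into one safe path component."""
    # Normalise first so look-alikes (e.g. fullwidth '/') are filtered too.
    text = unicodedata.normalize("NFKC", text or "")
    text = _UNSAFE.sub("-", text)   # drops '/', '\\', NUL, whitespace, newlines
    # No leading '.' (blocks '.', '..', dotfiles) and no leading '-'
    # (a name starting with '-' could be parsed as an option by pass or git).
    text = text.strip("-.")
    return text[:100] or fallback


def entry_path(vault, category, title, username, uuid, taken):
    """Build vault/category/title-username; add the item UUID on collision.

    `taken` is the set of lowercased paths already assigned (updated in place).
    """
    name = sanitize_component(title)
    if username:
        name += "-" + sanitize_component(username, fallback="user")
    path = PurePosixPath(sanitize_component(vault),
                         sanitize_component(category), name)
    # Compare case-insensitively so the store also works on macOS/Windows.
    if str(path).lower() in taken:
        path = path.with_name(name + "-" + sanitize_component(uuid, "dup"))
    # Defence in depth: refuse anything that could leave the store root.
    if path.is_absolute() or ".." in path.parts or len(path.parts) != 3:
        raise ValueError("unsafe entry path: %r" % str(path))
    taken.add(str(path).lower())
    return str(path)


if __name__ == "__main__":
    seen = set()
    # Constructed sample items, not taken from a real export.
    print(entry_path("Personal", "Login", "GitHub", "alice", "u1", seen))
    print(entry_path("Personal", "Login", "github", "alice", "UUID123", seen))
    print(entry_path("../..", "Login", "../../etc/passwd", "", "u3", seen))
```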

Security Considerations

  • The .1pux export is unencrypted. Store outside the repo, shred after import, never commit to version control.
  • Passwordstore entries and attachments are GPG-encrypted with your key. Confirm gpg -d works before relying on the store.

Disclaimer

This software was vibe-coded with Anthropic's Sonnet 4.5 using Claude Code and OpenAI's Codex 🤖. Contributor and automation guidelines live in AGENTS.md.